Prerequisites

Enable API access and token authentication

• Enable REST API access for your Splunk Cloud Platform deployment. See Accessing the Splunk Cloud Platform REST API.

• Enable token authentication. See Enable token authentication for a Splunk platform instance.

Install Splunk AI Assistant for SPL

To enable AI tools such as generate_spl, explain_spl, optimize_spl & ask_splunk_question be available in the MCP server, Splunk AI Assistant for SPL must be installed. Read more at Install and use Splunk AI Assistant for SPL.

MCP hosting methods

Configure your MCP server based on your chosen deployment method. For more information about deployment methods, see the "Key differences" table in this manual.

Configure role based access to the MCP server in order to allow Splunk's On-Cloud MCP server to connect to your Splunk Cloud Platform software deployment. Your administrator must configure role-based access to the MCP server for Splunk Platform.

• Create a new role named mcp_user. This role does not require any capabilities.

• Assign the mcp_user role to the users that are authorized to use the MCP server functionality.

• Set the appropriate expiration if the user does not have the permission to create their own token.

• You might be prompted to restart your Splunk deployment for the new capabilities to be available.

• Configure capability-based access to the MCP server: Add the new 'mcp_tool_execute' capability to roles, existing or new, that are authorized to use the MCP server functionality.

• Configure IP allow list (Splunk Cloud Platform only): App 0.0.0.0/0 to the IP allow list for Search Head API access. See Configure IP allow lists for Splunk Cloud Platform for more information.